
[Bug]: permission denied: invalid token

Open Spanfile opened this issue 5 months ago • 0 comments

Terraform Core Version

1.12.1

Terraform Vault Provider Version

5.0.0

Vault Server Version

1.19.4

Affected Resource(s)

vault_policy but likely also others

Expected Behavior

Works across multiple applies

Actual Behavior

Applying for the first time works, but applying a second time Vault returns an error about an invalid token. Running terraform with TF_LOG=debug shows the provider's HTTP request:

[DEBUG] provider.terraform-provider-vault_v5.0.0_x5: ---[ REQUEST ]---------------------------------------
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5: GET /v1/auth/token/lookup-self HTTP/1.1
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5: Host: vault:8200
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5: User-Agent: Go-http-client/1.1
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5: X-Vault-Request: true
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5: X-Vault-Token: hmac-sha256:<hash>
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5: Accept-Encoding: gzip
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5
[DEBUG] provider.terraform-provider-vault_v5.0.0_x5: -----------------------------------------------------

I'm not too familiar with how Vault handles tokens but is an hmac-sha256 a valid token?

Relevant Error/Panic Output Snippet

│ Error: failed to lookup token, err=Error making API request.
│
│ URL: GET https://vault:8200/v1/auth/token/lookup-self
│ Code: 403. Errors:
│
│ * 2 errors occurred:
│       * permission denied
│       * invalid token
│
│
│
│   with module.vault_bootstrap.vault_policy.admin,
│   on vault/bootstrap/main.tf line 10, in resource "vault_policy" "admin":
│   10: resource "vault_policy" "admin" {

Terraform Configuration Files

main.tf:

provider "vault" {
  alias   = "vault_root_token"
  address = "https://vault:8200"
  token   = ...
}

module "vault_bootstrap" {
  source = "./vault/bootstrap"
  providers = {
    vault = vault.vault_root_token
  }
}

Module vault/bootstrap/main.tf:

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "5.0.0"
    }
  }
}

resource "vault_policy" "admin" {
  name   = "admin"
  policy = file("${path.module}/policies/admin.hcl")
}

Steps to Reproduce

  1. Apply for the first time without existing state
  2. Apply again afterwards with existing state

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

Spanfile avatar May 31 '25 16:05 Spanfile
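As an added diagnostic (not code from the issue or from the provider), the script below issues the same `GET /v1/auth/token/lookup-self` request the provider makes and classifies the response, so the token a second apply will use can be checked beforehand. It assumes `VAULT_ADDR` and `VAULT_TOKEN` in the environment; the two sample responses at the bottom are constructed to mirror Vault's lookup-self shape.

```python
import json
import os
import urllib.error
import urllib.request


def classify_lookup(resp):
    """Return findings from a lookup-self body that would explain a later
    'permission denied / invalid token': expired, use-limited, or
    non-renewable tokens; also flags a root-policy token."""
    data = resp.get("data") or {}
    findings = []
    ttl = data.get("ttl", 0)
    if data.get("expire_time") is not None and ttl <= 0:
        findings.append("token ttl has reached zero (expired)")
    num_uses = data.get("num_uses", 0)
    if num_uses > 0:
        findings.append(f"token is use-limited: {num_uses} use(s) left")
    if not data.get("renewable", False) and ttl > 0:
        findings.append("token is not renewable; it will expire after ttl")
    if "root" in data.get("policies", []):
        findings.append("token carries the root policy")
    return findings


def lookup_self(addr, token, timeout=5):
    """Same request the provider logs at debug level; returns (status, body)."""
    req = urllib.request.Request(
        f"{addr}/v1/auth/token/lookup-self",
        headers={"X-Vault-Token": token, "X-Vault-Request": "true"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:  # Vault returns 403 with an errors list
        return e.code, json.load(e)


# Constructed samples: a root token, and a one-use token whose ttl has run out.
SAMPLE_ROOT = {"data": {"ttl": 0, "expire_time": None, "num_uses": 0,
                        "renewable": False, "policies": ["root"]}}
SAMPLE_LIMITED = {"data": {"ttl": 0, "expire_time": "2025-05-31T16:05:00Z",
                           "num_uses": 1, "renewable": True, "policies": ["admin"]}}

if __name__ == "__main__":
    status, body = lookup_self(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    if status != 200:
        print(f"lookup-self failed with {status}: {body.get('errors')}")
    else:
        print(classify_lookup(body) or ["token looks valid for another apply"])
```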